Week 52 – 2016

Last post of the year! Happy New Year peoples. Hope everyone’s holiday/break has been restful. I’m going to take a short break for the rest of the year and be back for Week 1 2017 😉

SOFTWARE UPDATES

  • Michael Hale Ligh has announced the release of Volatility 2.6.
    “This release improves support for Windows 10 and adds support for Windows Server 2016, Mac OS Sierra 10.12, and Linux with KASLR kernels. A lot of bug fixes went into this release as well as performance enhancements”. It can be downloaded from GitHub.
    The Release of Volatility 2.6

  • Didier Stevens updated his PDF-Parser Python script to version 0.6.7, adding the -k option “to search for keys in dictionaries”.
    Update: pdf-parser Version 0.6.7

  • Cellebrite updated UFED PA to v5.4.6; however, they haven’t uploaded the release notes. Digital Forensics Corp explains that the update fixes a few issues.
    UFED Physical Analyzer V. 5.4.6 Is Available Now

  • Paraben Corporation announced the release of E3:Universal, E3:DS, and E3:P2C Aurora edition 1.1, improving Android, iOS backup and Twitter support, as well as other improvements.
    E3 Aurora Edition 1.1 Released

  • GetData updated Forensic Explorer to v3.9.7.6140 with various bug fixes and minor updates.
    23 Dec 2016 – v3.9.7.6140

SOFTWARE/PRODUCT RELEASES

  • A couple of weeks ago I published my RegRipper GUI Perl script but forgot to mention it here. As opposed to the already existing RegRipper GUI, this one will automatically run the selected plugin as long as the registry files are found in the selected directory. As a suggestion, don’t select the plugins that run against all registry files (i.e. regtime), as the program will loop through each registry file listed in the plugin. Also, the registry files are required to be named as one would expect, so if you’ve renamed them they won’t run properly. You can get the script here.

  • Matt Graeber “wrote a parser to pull out ELAM driver approved anti-malware signer info” and released it on GitHub.
    Check Out @mattifestation’s Tweet

  • Joshua Trombley at OpenSec Labs has produced a handy script to automate the installation of Volatility on Win10’s Ubuntu subsystem.
    Volatility on Ubuntu on Windows 10

  • Not exactly a new release, but Matt Suiche has released the source code for Hibr2Bin (version 3.0) on GitHub. Many people would know of Hibr2Bin’s companion utility, Dumpit, which is one of the main players in RAM acquisition.
    Hibr2Bin

PRESENTATIONS/PODCASTS

  • Joshua James has posted a couple of videos on how to create Linux VMs using VirtualBox.
    [How to] Installing and updating Linux in Virtualbox

  • Yuri Gubanov has released a video on Forensic Focus showcasing Belkasoft’s Evidence Center 2017 v.8.3. The transcript and video can be found below.
    Webinars – 2016 Sneak Peek Into Belkasoft Evidence Center v.8.3

  • Lee Reiber talks about isolation of mobile devices. Lee explains that some of the older Faraday boxes and bags may not block the higher frequency signals and instead recommends using airplane mode.
    Mobile Forensic Minute 103

  • John Lambert updated his presentation on “Office Macro Lures 2.0”
    Check out @JohnLaTwC’s Tweet

  • Sergi Àlvarez aka Pancake presented at “33C3: works for me” about Radare.
    Radare Demystified: After 1.0

  • Jonathan Rajewski, the Director of the Senator Patrick Leahy Center for Digital Investigation at Champlain College, presented at TEDxBuffalo on how IoT is making cybercrime investigation easier. This links quite nicely to the article shared by Forensic Focus: US investigators have requested Amazon Echo data from Amazon. This was inevitable, as IoT devices store a wealth of information that may be useful in an investigation.
    How the IoT is Making Cybercrime Investigation Easier | Jonathan Rajewski | TEDxBuffalo

  • This week’s Digital Forensics Survival Podcast provides an overview of the Direct Memory Access exploit for bypassing passwords on locked devices. Attackers/examiners can utilise a tool like Inception and connect to a device via an interface that supports DMA (think FireWire, PCI Express, Thunderbolt) and are able to access and download a section of RAM. They are then able to obtain the login credentials and use them to access the locked device.
    DFSP # 045 – RUN DMA

  • Dave and Davida hosted the last Forensic Lunch of the year! David gave his thoughts on the GRR project and how it’s progressed and how they’ve used it in the field. David also talked about a few of the interesting cases that he worked on this year, and a couple of the things planned for 2017.
    Forensic Lunch 12/30/16

FORENSIC ANALYSIS

  • Digital Forensics Corp shared a number of articles this week
  • Matt Bromiley’s Zeltser Challenge continues!
    • Matt introduces a new tool he’s written called RedSketch, which converts Redline data into the Timesketch format.
      Scripting Saturday: Redsketch
    • Matt shares his thoughts on submitting talks to conferences and encourages people to do so – even with the possibility of rejection, the process of submitting means you’re getting yourself out there, and have found something you’ve thought is interesting enough to share. Rejection can come for any number of reasons and should be used to motivate you to either dig deeper or share the information elsewhere. If it’s something that you find indispensable then I’m sure another person will as well. It also seems that Matt’s offering himself up as a sounding board: “If you’ve got a new tool, method, or technique, I want to know. If you’ve got a way to teach an old dog new tricks …, then I want to know.” – If you’re hesitant about presenting something, or you don’t know if it will pass muster, then get out and talk to people about it and see if it’s something worth sharing!
      CFPs are for Everyone
    • This post expands on last Friday’s packet capture analysis and explores the VBE script (Encoded VBScript) that was located.
      Malware Monday: VBScript and VBE Files
    • Torvalds Tuesday focuses on Bash history. As Matt mentions, I’d highly recommend looking at this presentation on Bash history to get an understanding of how it’s generated. Matt explains an interesting technique for adding context to Bash history when timestamps aren’t turned on; for example, looking at commands for package installs and then comparing them with the log identifying when the package was installed. Then, using other artefacts, you can continue to add context, similar to how you can create a mini-timeline with the RecentDocs Windows registry key.
      Torvalds Tuesday: Bash History
    • This post provides an overview of the Prefetch forensic artefact, and how it can be used to provide information about program execution.
      Windows Wednesday: Prefetch Files
    • And progressing from looking at the artefact, Matt provides an overview of Eric Zimmerman’s PECmd Prefetch Parser.
      Tooling Thursday: PECmd
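The anchoring technique from the Torvalds Tuesday post, as an added example that is not code from the original post or from Matt’s article: it takes an untimestamped Bash history and a dpkg.log-style package log (both constructed sample data here), gives each package-install command the exact time from the log, and goes one step further by bounding every other command between the nearest anchored commands before and after it.

```python
import re
from datetime import datetime

# Constructed ~/.bash_history written with timestamps disabled (no '#<epoch>' lines).
BASH_HISTORY = """\
wget http://example.invalid/tool.tar.gz
sudo apt-get install -y nmap
tar xzf tool.tar.gz
sudo apt-get install socat
./tool/run.sh
"""

# Constructed /var/log/dpkg.log excerpt; only the 'install' lines are used as anchors.
DPKG_LOG = """\
2016-12-27 09:14:02 startup packages configure
2016-12-27 09:14:05 install nmap:amd64 <none> 7.01-2build1
2016-12-27 10:41:30 install socat:amd64 <none> 1.7.3.1-1
"""
# History side: 'apt[-get] install [flags] <pkg>'; log side: '<date> <time> install <pkg>[:<arch>] ...'.
INSTALL_CMD = re.compile(r"apt(?:-get)?\s+install\s+(?:-\S+\s+)*(\S+)")
DPKG_INSTALL = re.compile(r"^(\S+ \S+) install (\S+?)(?::\S+)? ")

def parse_dpkg_installs(log_text):
    """Map package name -> datetime of its dpkg 'install' line."""
    installs = {}
    for line in log_text.splitlines():
        m = DPKG_INSTALL.match(line)
        if m:
            installs[m.group(2)] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return installs

def annotate_history(history_text, installs):
    """Return (index, command, time_info, kind) per history line: install commands get
    an exact time, others a (lower, upper) bound from the nearest anchors around them."""
    cmds = history_text.splitlines()
    anchors = {}
    for i, cmd in enumerate(cmds):
        m = INSTALL_CMD.search(cmd)
        if m and m.group(1) in installs:
            anchors[i] = installs[m.group(1)]
    rows = []
    for i, cmd in enumerate(cmds):
        if i in anchors:
            rows.append((i, cmd, anchors[i], "exact"))
        else:
            prev = max((j for j in anchors if j < i), default=None)
            nxt = min((j for j in anchors if j > i), default=None)
            rows.append((i, cmd, (anchors.get(prev), anchors.get(nxt)), "bounded"))
    return rows
```

A bound of None on one side means no anchored command exists before (or after) that line, so other artefacts are needed to close the window.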

  • There were a few articles shared on Cyber Forensicator
  • Darlene Alvar shared a series of tips from their trainer, David Spreadborough, for using Amped FIVE.
    Amped Advent Calendar: useful tips and tricks in Amped FIVE

  • Andrew Swartwood at Between Two DFIRns has written a post describing how to replicate a few common analysis workflows from Bash in PowerShell.
    DFIR Command Line Analysis – Moving from Bash to Powershell

  • Didier Stevens at NVISO Labs walks through some PDF analysis with his pdfid and pdf-parser tools.
    PDF Analysis: Back To Basics

  • The December 2016 Journal of Digital Investigation has been released.
    Digital Investigation – Volume 19, Pages A1-A4, 1-78 (December 2016)

  • Scott Piper at Summit Route walks through the setup process of go-audit, a tool that “helps make sense of the data that can be collected with auditd”. He then shows how it can be used in conjunction with Logstash and gcore to catch an attacker executing processes.
    Catching attackers with go-audit and a logging pipeline

  • There were a couple of articles on Forensic Focus this week
  • The SANS InfoSec Reading Room has posted Kaleb Fornero’s whitepaper on monitoring DNS for misuse. The paper outlines “the way in which DNS may be abused for command and control channels as well as data exfiltration by deconstructing deceptive packets and outlining the anomalies within them.”
    Is Anyone Out There? Monitoring DNS for Misuse

  • Guy Bruneau has posted on the SANS ISC Handler Diaries about how to use daemonlogger to capture traffic from one of two interfaces on his gateway, and forward a copy to “a third interface connected to [his] packet sniffer”.
    Using daemonlogger as a Software Tap

MALWARE

MISCELLANEOUS

And that’s all for 2016! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!
